Bruce Schneier is Not Exactly Beyond Fear

It's this
research out of the University of Washington's
Computer Science Department; it looks at Apple Computer's Nike + iPod Sport Kit, which
consists of a small transmitting sensor placed in one of your Nike shoes,
and an equally small receiver you plug into your iPod nano. As you run or
walk, the shoe sensor transmits information on your steps to the iPod,
which displays time, distance, pace, etc. Essentially, it's a very
expensive (but very cool) pedometer.

Expensive but cool, that's Apple in a nutshell. So what's the scary part?

The UW researchers claim:

… our research shows that the wireless capabilities in this new gadget
can negatively impact a consumer's personal privacy and safety.

Whoa! How does that happen?

The UW researchers found that the in-shoe transmitter sends out a unique
identifier, so that (presumably), when in use,
the receiver won't be confused by other
transmitters in the vicinity. They demonstrated that the signal can be picked up
from about 60 feet away. They built receivers and wrote software that
can "identify" transmitters as their owners walk or run near them.

Oh. So, um, really, what's the scary part?

Well, that's where it helps to have a very active imagination.
From the UW page:

Since the unique identifier doesn't change over time, someone could use
the sensor's broadcast messages to track which locations you visit, and
when you visit them. A bad person could use this information to
compromise your personal privacy and safety. We describe specific
example scenarios, like stalking, in our paper.

Their paper is here
(in PDF), and it does go into more detail. For example:

Marvin is a jealous boyfriend
who suspects that his girlfriend, Alice, is cheating on him
with his best friend Bob. Alice wears Nike+ shoes and uses
a Nike+iPod Sport Kit. We assume that Marvin knows the
UID of the Nike+iPod sensor in Alice's shoe; Marvin could
easily learn this UID by, for example, shaking Alice's shoe in
front of a Nike+iPod detector or by turning his Nike+iPod
detector on while walking Alice to her car. Alternately, suppose that, unbeknownst to Alice, Marvin maliciously implants a Nike+iPod sensor in one of Alice's shoes, or hides
a sensor in Alice's jacket or purse.

The UW researchers then imagine that Marvin installs a receiver
near Bob's house, so he can detect when Alice visits, and for how
long. He can do the same thing to Bob. He can install a transmitter
near Alice's jogging path and see if Bob is also jogging by
there at the same
time.

But … but … why is
Marvin going to all that trouble? If he's that suspicious, and he
doesn't respect Alice's privacy, why doesn't he just follow her?

Well, exactly. The UW researchers have (indeed) come up with a neat
hack. But their attempts to expand it into something more than a neat
hack don't really pass cursory skepticism.
Their scenarios posit "attackers" who
are doggedly intent on using their Nike+iPod detectors to carry out
their nefarious activities. But, in all cases, those nefarious
activities could (and in the real world, would) be accomplished
more effectively
with either no technology or (in some cases) more appropriate
technology, like cheap video cameras.

[For example, if you want to get fancy, planting something like this doodad on the
person you want to track would seem to be much more effective
than any imagined Nike+iPod-based attack.]

But what's really ironic about this is Bruce Schneier's "very scary"
pronouncement. His most recent book is titled Beyond
Fear, in which he makes the case
against reflexive and reactionary "defenses" against terrorism.
He memorably railed against imagining movie-plot threats,
even sponsoring a contest where he invited his readers
to submit their scariest terrorist scenarios. If he'd been
a little more critical in reviewing the UW research, he'd have
seen that their "scary" conclusions are based largely on
movie-plot threats. And not even very good movies: at best, we're
talking the ones that premiere on the Lifetime channel.

One can't help but suspect that Schneier's lack of skepticism is caused
by the fact that he can hype the UW research to support a conclusion
he's previously reached:

Unless we enact some sort of broad law requiring companies to add
security into these sorts of systems, companies will continue to produce
devices that erode our privacy through new technologies.

Fear-mongering is OK, seemingly,
when it's deployed in support of causes he agrees with, in this case
legislation and regulation. Disappointing.
